On 9/6/23 07:25, Richard Troy wrote:
The relaying only started and stopped when Dovecot was turned on or off.
Isn't it true that Dovecot performs the authentication function for inbound connections, and that a client which authenticates successfully may then use the submission mechanism, which Postfix treats as an authenticated (effectively internal) connection, to send email? Is this mistaken?
However, I get your point and I've spent a lot of work on that area. And, you may well be right that that's where I need to turn - that is, to Postfix. Thanks for the link.
The problem will likely be in Postfix.
However, if your Dovecot SASL is broken — say, it always permits access, with or without the correct password — then there will be a problem: permit_sasl_authenticated will then admit every client that asks.
This is part of my Postfix configuration, and my system doesn't relay. The key lines are all those with
permit_sasl_authenticated
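# Postfix main.cf excerpt (relay / SASL / TLS / postscreen sections).
# The original paste had several logical lines collapsed together and
# comment text fused onto directives; this listing restores one
# "parameter = value" per logical line. Values are unchanged.
#
# Relay policy: only accept mail for domains we host. Everything else
# must come from $mynetworks or a SASL-authenticated client (see
# smtpd_recipient_restrictions below).
relay_domains = $mydestination

unknown_local_recipient_reject_code = 550
unknown_client_reject_code = 550

#home_mailbox = Maildir/
# Local delivery is handed to Dovecot over LMTP.
mailbox_transport = lmtp:unix:private/dovecot-lmtp
#transport_maps = hash:/etc/postfix/transport

# Junk controls
# Restrictions are evaluated at RCPT TO (delay_reject) so that the
# HELO/sender checks have SASL and client identity available.
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
#    reject_rbl_client dnsbl-1.uceprotect.net
#    reject_rbl_client cbl.abuseat.org

# Relay control. Order matters: permit_mynetworks and
# permit_sasl_authenticated are consulted first, so any client that the
# SASL backend reports as authenticated may relay to any destination;
# reject_unauth_destination then blocks relaying for everyone else.
# NOTE(review): this means a broken Dovecot passdb (one that accepts any
# password) turns the server into an open relay for as long as Dovecot
# is running. Check the mail log for "sasl_username=" on the relayed
# messages to confirm or rule this out.
# NOTE(review): the trailing "permit" comes before the commented-out
# reject_rbl_client entries; uncommenting them as-is would leave them
# unreachable -- move them above "permit" if they are re-enabled.
# NOTE(review): the submission service in master.cf may override these
# lists with "-o smtpd_*_restrictions=..."; check "postconf -M" too.
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_pipelining
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    reject_unauth_destination
    permit
#    reject_rbl_client zen.spamhaus.org
#    reject_rbl_client bl.spamcop.net

smtpd_sender_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unknown_sender_domain
    reject_unknown_reverse_client_hostname
    reject_unknown_client_hostname

smtpd_data_restrictions = reject_unauth_pipelining, permit

strict_rfc821_envelopes = yes
disable_vrfy_command = yes

# Redirect mail
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks

# Reduce the time Postfix will sit idle after a client issues STARTTLS.
smtpd_starttls_timeout = 60s

# Renegotiate TLS sessions every hour.
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# Enable SMTP AUTH.
# This requires TLS on port 25
# NOTE(review): smtpd_sasl_type / smtpd_sasl_path are not in this
# excerpt. The comment below mentions saslauthd (Cyrus) while the thread
# says Dovecot SASL -- confirm which backend "postconf -n smtpd_sasl_type"
# actually reports, since that is the component being trusted above.
smtpd_sasl_auth_enable = yes
# Don't allow anonymous logins. DO NOT add noplaintext here, or
# authentication with saslauthd will become impossible.
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
# Some clients send malformed AUTH commands.
broken_sasl_auth_clients = yes
# Only allow AUTH when a TLS session is active, to reduce the
# possibility for password and message body snooping.
# NOTE(review): this depends on STARTTLS being offered; the cert/key and
# smtpd_tls_security_level settings are not shown in this excerpt.
smtpd_tls_auth_only = yes

# Tarpitting
smtpd_error_sleep_time = 50
smtpd_hard_error_limit = 2
smtpd_soft_error_limit = 1
smtpd_junk_command_limit = 10

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mailbox_size_limit = 0
recipient_delimiter = +
inet_protocols = all
compatibility_level = 3.6
policy-spf_time_limit = 3600s
html_directory = /usr/share/doc/postfix/html

# Milter configuration
# "accept" means mail is still accepted (unsigned / unverified) if the
# OpenDKIM socket is unavailable.
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters

smtputf8_enable = no

# postscreen: pre-greeting and DNSBL scoring for port 25 clients.
postscreen_access_list = permit_mynetworks
postscreen_blacklist_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites =
    swl.spamhaus.org*-4
    list.dnswl.org=127.0.[0..255].[1..3]*-5
    zen.spamhaus.org=127.0.[1..2].[0..255]*3
    b.barracudacentral.org*2
    bl.spameatingmonkey.net
    bl.spamcop.net
postscreen_dnsbl_threshold = 2

smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
# Duplicate of the setting above (same value); the later one wins.
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache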
--